Unix/Linux accounts integrated within AD?

Hello,

First of all, thank you very much for your help wit my question about
GPOs and so on... your answers helped me a lot...

Now I have the following question: I have found that my organization
has several kind of OS installed on computers... most of them are
W2K/W2K3 integrated within a W2K domain...

Since admins have to remember lots of accounts/passwords for the W2K*
servers, and the others with Linux, HP-UX, Solaris, etc... I have
found that most of the passwords are too simple, and repeated all over
the non-W2K* systems...

I have tried with a password manager, but some times we lost a
valuable time searching for the strong password for one system at the
password manager software...

Is there anyway to integrate the OS accounts of UNIX-like sysetms with an AD?

Best regards

Centrify < http://www.centrify.com/ >

It will allow your unix/linux machines to play nicely in the Active
Directory Kerberos environment.

saqib
http://security-basics.blogspot.com/


On 8/28/07, Dummy cerberus <dummycerberus@...> wrote:

--
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net

I don't know 100% if this will work, but try setting up kerberos client utilities on your Unix boxes and point them at your ad server.  Hopefully it should at least validate the user on the Unix box.

Geoff

Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: "Dummy cerberus" <dummycerberus@...>

Date: Wed, 29 Aug 2007 08:44:03
To:security-basics@...
Subject: Unix/Linux accounts integrated within AD?


Hello,

First of all, thank you very much for your help wit my question about
GPOs and so on... your answers helped me a lot...

Now I have the following question: I have found that my organization
has several kind of OS installed on computers... most of them are
W2K/W2K3 integrated within a W2K domain...

Since admins have to remember lots of accounts/passwords for the W2K*
servers, and the others with Linux, HP-UX, Solaris, etc... I have
found that most of the passwords are too simple, and repeated all over
the non-W2K* systems...

I have tried with a password manager, but some times we lost a
valuable time searching for the strong password for one system at the
password manager software...

Is there anyway to integrate the OS accounts of UNIX-like sysetms with an AD?

Best regards

On Wed, 29 Aug 2007, Dummy cerberus wrote:

Did you have a look at PADL? They may have what you are looking for:

http://www.padl.com/

> Best regards

--
Serguei A. Mokhov            |  /~\    The ASCII
Computer Science Department  |  \ / Ribbon Campaign
Concordia University         |   X    Against HTML
Montreal, Quebec, Canada     |  / \      Email!

On Aug 29, 2007, at 2:44 AM, Dummy cerberus wrote:

> Is there anyway to integrate the OS accounts of UNIX-like sysetms  
> with an AD?

Yes, you can configure your UNIX system to use RADIUS authentication  
and then implement IAS (included with Windows) to enable a RADIUS  
server that's integrated your domain. It works quite well and is  
fairly straight forward to configure.

Cheers,

--
Daniel Miessler
E: Daniel@...
W: http://dmiessler.com
G: 0xD4A8FFF6

The short answer is yes

There are several ways to do this and several whitepapers and a few
books on it (I've read two books on it, one by Mark Minasi called Linux
for Windows Administrators, and another excellent one by Jeremy
Moskowitz
(http://www.amazon.com/Windows-Linux-Integration-Hands-Solutions-Environ
ment/dp/0782144284) on integrating Windows and Linux environments, and
both are very good.  The latter one has more detail on integration than
the former,and there are many, many other books on the subject.

On method is to enable LDAP on the non-Windows side and then use LDAP
tools (on the Windows or Linux side) to manage the users and passwords.
You can also install Services for Unix (or whatever it is called
depending on the version) and manage the whole thing from Windows.

There are many other methods. All of them take a little work, and none
of the solutions are perfect. For the most part you don't get things
like Group Policy on the Linux side (unless you buy Novell's SUSE), but
you can manage user accounts, passwords, and the like across
environments. Plenty of caveats, but its easier than managing two
different systems.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist
*CPA, CISSP, CISA, MCSE: Security (2000/2003), CEH, yada...yada...
*email: roger_grimes@... or roger@...
*Author of Windows Vista Security: Securing Vista Against Malicious
Attacks (Wiley)
*http://www.amazon.com/Windows-Vista-Security-Securing-Malicious/dp/0470
101555
*****************************************************************


-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On Behalf Of Dummy cerberus
Sent: Wednesday, August 29, 2007 2:44 AM
To: security-basics@...
Subject: Unix/Linux accounts integrated within AD?

Hello,

First of all, thank you very much for your help wit my question about
GPOs and so on... your answers helped me a lot...

Now I have the following question: I have found that my organization has
several kind of OS installed on computers... most of them are
W2K/W2K3 integrated within a W2K domain...

Since admins have to remember lots of accounts/passwords for the W2K*
servers, and the others with Linux, HP-UX, Solaris, etc... I have found
that most of the passwords are too simple, and repeated all over the
non-W2K* systems...

I have tried with a password manager, but some times we lost a valuable
time searching for the strong password for one system at the password
manager software...

Is there anyway to integrate the OS accounts of UNIX-like sysetms with
an AD?

Best regards

HOWTO: Configure Ubuntu for Active Directory Authentication
http://developer.novell.com/wiki/index.php/HOWTO:_Configure_Ubuntu_for_Active_Directory_Authentication

cheers
Ivan

On 8/29/07, Dummy cerberus <dummycerberus@...> wrote:

Dummy:  (I love that :) your worse than I am ).

There is a simple way when using Windows server 2003 with R2, on the R2 Disk
you must install the extensions for active directory and configure Pam on
Unix side.
references:

http://support.microsoft.com/kb/921913/en-us

Hello Dummy Cerberus,

This is one of most common issue with organizations having two or more
OSes. So there are solutions or work-arounds for such situations. One
of the secured way of integrating UNIX OS to authenticate with
Microsoft Active Directory is as follows:

Note:

Kindly note, that the information provided below, should be tested in
a test environment strictly before bringing it to production or
operational environment. The solution provided is just an work-around
and is not exact; it might vary according to your flavor of Linux and
your practical hands-on on Linux or UNIX based machines.

Kindly follow the instructions provided below on your own risk, since
I am not responsible for any damage or mis-configuration.

Download and install following softwares as per given steps.

Step 1: Install MIT Kerberos V5. (Download: http://web.mit.edu/kerberos/)

Step 2: Install OpenLDAP with options to enable null, disable bdb, and
no TLS (Download: http://www.openldap.org/)

Step 3: Install SAMBA (Download: http://www.samba.org/). Now onwards
steps are little tedious.

3.1: Unpack and set the CFLAGS environment variable to "-O2"
3.2: Set the CPPFLAGS environment variable to "-I/opt/local/include"
3.3: Set the LDFLAGS environment variable to "-L/opt/local/lib
-Wl,-R/opt/local/lib"
3.4: Now from the source directory shoot something similar or
appropriate to your custom installation like this:

./configure --prefix=/opt/local --exec-prefix=/opt/local/samba
--with-sslinc=/opt/local/ssl/include --with-ssllib=/opt/local/lib
--with-included-popt --with-smbwrapper --with-pam --with-ldap
--with-ads --with-winbind --with-krb5=/opt/local
--with-logfilebase=/var/log --with-automount --with-syslog

3.5: Then as usual 'make' followed by 'make install'.

Step 4: Now configure your server to add Active Directory DNS Suffix
in search statement in /etc/resolv.conf on the Linux/UNIX machine.

Step 5: Then add domain settings into your Kerberos config file
(default location: /opt/local/etc/krb5.conf)

Ex:
[libdefaults]     default_realm = MY.DOMAIN.CO.IN

[realms]     MY.DOMAIN.CO.IN = {kdc = dc1.my.domain.co.in}

[domain_realms]     .kerberos.server = MY.DOMAIN.CO.IN

Step 6: Now configure your SAMBA server as password server by
including following mentioned points in your samba config file
(default location: /opt/local/samba/lib/smb.conf)

WORKGROUP = DOMAIN
REALM = my.domain.co.in
SECURITY = ADS
PASSWORD SERVER = dc1.my.domain.co.in
ENCRYPT PASSWORD = yes
ALLOW TRUSTED DOMAINS = yes
USERNAME MAP = /opt/local/samba/lib/user.map

Step 7: Now map your Active Directory Usernames to respective UNIX
usernames in the file mentioned for 'username map' in smb.conf file
just in step above.

Ex: unix_user_name = ms-ad-user@DOMAIN

OR unix_user_name = DOMAIN\ms-ad-user

Step 8: Start and Stop smbd, nmbd and winbindd

Step 9: Now, if everything has gone correct till now, then join the
SAMBA server to Active Directory.

9.1: /opt/local/bin/kinit Domain_Admin@...
9.2: Now if the SAMBA server is able to talk and understand the AD
communication, it'll prompt for password for the username supplied
(which is the Domain Administrator Credentials).
9.3: /opt/local/samba/bin/net ads join DomainAdmin

Step 10: Now restart all the SAMBA related daemons/services.

Step 11: Test and verify the configuration for all users in Active Directory.

As you all can see, its very complicated to setup and establish a
perfect configuration for enabling UNIX/Linux based machines to
integrate with Microsoft Active Directory.

To avoid all these, there are products out in market, which enables
this integration happen within minutes, that too without much hick-ups
and errors.

Some of them I am mentioning below, however I haven't yet used them:

1. Quest Software's Vintela Authentication Services -
http://www.quest.com/Vintela-Authentication-Services/

2. Centrify DirectControl - http://www.centrify.com/directcontrol/overview.asp

3. Centeris Likewise - http://www.centeris.com/products/

4. Also you can explore Microsoft Services for UNIX, which is free and
built-in into Microsoft Server OSes.

5. Other alternative option is to use 'Fedora Directory Service (FDS)'
- http://directory.fedoraproject.org/

All the mentioned stuffs I had written down long back in my notes
while searching on Google for UNIX and Microsoft AD integration. So
there might be updated or more robust, easy and secured method
available somewhere than the one I mentioned above.

----
Nikhil Wagholikar
Information Security Analyst
NII Consulting
Web: http://www.niiconsulting.com


On 8/29/07, Dummy cerberus <dummycerberus@...> wrote:

Indeed there is a way using samba you can read about it in good, I started
here: http://www.netadmintools.com/art172.html



Cheers,

Liran Cohen
RCT Internet solutions.
http://dir.rct.co.il
http://www.rct.co.il 


-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On
Behalf Of Dummy cerberus
Sent: Wednesday, August 29, 2007 9:44 AM
To: security-basics@...
Subject: Unix/Linux accounts integrated within AD?

Hello,

First of all, thank you very much for your help wit my question about
GPOs and so on... your answers helped me a lot...

Now I have the following question: I have found that my organization
has several kind of OS installed on computers... most of them are
W2K/W2K3 integrated within a W2K domain...

Since admins have to remember lots of accounts/passwords for the W2K*
servers, and the others with Linux, HP-UX, Solaris, etc... I have
found that most of the passwords are too simple, and repeated all over
the non-W2K* systems...

I have tried with a password manager, but some times we lost a
valuable time searching for the strong password for one system at the
password manager software...

Is there anyway to integrate the OS accounts of UNIX-like sysetms with an
AD?

Best regards

On Wed, 29 Aug 2007 04:44:03 pm Dummy cerberus wrote:
Microsoft AD uses Kerberos (v5) authentication and *nix systems can be
configured to use Kerberos as an authentication scheme. The
ActiveDirectoryHowto goes into more detail:

https://help.ubuntu.com/community/ActiveDirectoryHowto

--
Regards,

Steve
Bathurst Computer Solutions
URL: www.bathurstcomputers.com.au
e-mail: steve@...
Mobile: 0407 224 251
.... _
... (0)>
... / / \
.. / / . )
.. V_/_
Linux Powered!
Registered Linux User #355382
*********************************************
"If you read the same things as others
and say the same things they say, then
you're perceived as intelligent. I'm a
bit more independent and radical and
consider intelligence the ability to
think about matters on your own and
ask a lot of skeptical questions to
get at the real truth, not just what
you're told it is."
Apple's Inventor - Steve Wozniak 2006
*********************************************

yes, there are specific products from the market that addresses your need, products such as

http://www.quest.com/Vintela-Authentication-Services/

http://www.centrify.com/directcontrol/overview.asp

Cheers,

- S

Have a look at centrify:

http://www.centrify.com/

Cheers,

Jarrod Smithers

Senior Technical Analyst - Ripon Technology Centre
Wolseley  P.O. Box 21 * Boroughbridge Road * Ripon * North Yorkshire * HG4
1SL *

T: +44 (0) 1765 696575 * F: +44 (0) 1765 694349

E: jarrod.smithers@...  

www.wolseley.com


-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On
Behalf Of liran
Sent: 31 August 2007 16:07
To: 'Dummy cerberus'; security-basics@...
Subject: RE: Unix/Linux accounts integrated within AD?

Indeed there is a way using samba you can read about it in good, I started
here: http://www.netadmintools.com/art172.html



Cheers,

Liran Cohen
RCT Internet solutions.
http://dir.rct.co.il
http://www.rct.co.il 


-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On
Behalf Of Dummy cerberus
Sent: Wednesday, August 29, 2007 9:44 AM
To: security-basics@...
Subject: Unix/Linux accounts integrated within AD?

Hello,

First of all, thank you very much for your help wit my question about
GPOs and so on... your answers helped me a lot...

Now I have the following question: I have found that my organization
has several kind of OS installed on computers... most of them are
W2K/W2K3 integrated within a W2K domain...

Since admins have to remember lots of accounts/passwords for the W2K*
servers, and the others with Linux, HP-UX, Solaris, etc... I have
found that most of the passwords are too simple, and repeated all over
the non-W2K* systems...

I have tried with a password manager, but some times we lost a
valuable time searching for the strong password for one system at the
password manager software...

Is there anyway to integrate the OS accounts of UNIX-like sysetms with an
AD?

Best regards

This e-mail is confidential and may also be privileged. Please notify us immediately if you are not the intended recipient. You should not copy it, forward it or use it for any purpose or disclose the contents to any person. If you have received this e-mail in error, please notify us as soon as possible on +44 (0)118 929 8700 and destroy your copy.
<br><br>
Unless otherwise expressly stated, this e-mail is not intended to constitute a business letter, order form or other offer or invitation to you, nor does this e-mail form the basis of any contract. Contracts may not be concluded by e-mail and any contract or agreement attached is subject to contract and shall not and is not intended to create a legally binding relationship.
<br><br>
This e-mail is sent by or on behalf of Wolseley plc or the relevant subsidiary undertaking of Wolseley plc with which you are dealing. Wolseley plc is registered in England and Wales with company number 29846 and registered office at Parkview 1220, Arlington Business Park, Theale, Reading, RG7 4GA, United Kingdom.
<br><br>
This e-mail has been scanned by the Symantec Mail Gateway Security Appliance for all known viruses, Wolseley plc has taken reasonable precautions to ensure no viruses are present in this email and does not accept responsibility for any loss or damage arising from the use of this email or attachments.